Minimal oversight of GCHQ hacking is 'a major scandal'

GCHQ's hacking operations are conducted with little to no oversight and risk "undermining the security of the internet", leading online privacy experts have warned. Even when oversight is required, GCHQ has revealed that ministers don't have the technical knowledge to understand what it is doing. Privacy campaigners today described the issue as "a major scandal".

Details of GCHQ's hacking operations and attempts to weaken encryption were revealed in a parliamentary committee report into the UK's surveillance capabilities. The Intelligence and Security Committee (ISC) review, published last week, revealed GCHQ makes the majority of decisions about hacking, and its operations to weaken encryption, internally and without telling ministers exactly what it is doing.

GCHQ's hacking operations, which it defines as "computer network exploitation", are part of a "general power" afforded to the spy agency with "no additional ministerial authorisation", according to the ISC's report. While a warrant is required for hacking operations inside the UK, outside the UK the spy agency uses five broad "Section 7 class-based Authorisations", which allow it to carry out hacking without specific oversight.

Ministers are only asked to judge GCHQ's hacking operations when they may cause serious economic or political risk.

Even in these instances the report revealed the Foreign and Commonwealth Office (FCO), whose remit GCHQ falls under, doesn't have the technical knowledge to understand what GCHQ is doing. The lack of oversight could also lead to internet security being weakened, privacy experts told WIRED.co.uk. "This is not oversight: it is a policy of 'trust us, we know what we're doing'," said Jim Killock, executive director of civil liberties organisation Open Rights Group. "It is shocking that ministers and the ISC aren't checking their risk analysis and admit the FCO lacks the skills to do so."

The GCHQ listening post at Bude, Cornwall is located near to cables that carry vast amounts of internet traffic around the world

In its report, the ISC expressed concern that GCHQ's decisions about hacking were taken internally. It said such operations "may expose the public to greater risk and could have potentially serious ramifications". The ISC added that ministers "must be kept fully informed of all such work". The ISC also makes a distinction between GCHQ's hacking operations and its efforts to weaken encryption. In relation to hacking, the ISC notes there is inadequate oversight, with attacks on encryption apparently subject to no oversight whatsoever.

Following publication of the ISC's report, foreign secretary Philip Hammond praised the "independent scrutiny and oversight" that it provides. Hammond also said that the actions of the UK's intelligence agencies, including GCHQ, were subject to "detailed ministerial oversight", despite GCHQ's admission that decisions about its hacking activities involve no oversight.

Killock slammed the committee's "inadequate" response, arguing that the "scandalous lack of oversight" looks set to continue. Even if the ISC's recommendations are adopted by government, no changes will be made to increase oversight of GCHQ's hacking operations, according to the report.

GCHQ admitted the FCO was "not well placed to assess the complex technical risk" of its hacking operations. In evidence given to the ISC, Sir Iain Lobban, then director of GCHQ, dismissed the idea that its operations caused "large scale damage to the internet" as "misplaced". Killock, an expert witness called on by the ISC for its report, claimed that "technical expertise seems to be absent from all levels of oversight".

Caroline Wilson Palow, legal officer at rights group Privacy International, described the revelations as "very troubling", adding that GCHQ's hacking operations and efforts to weaken encryption were "undermining the security of the internet". "State-sponsored hacking into phones, computers, and networks weakens the communications systems we rely on everyday, making us less secure in the process and more vulnerable to malicious actors online. It violates our right to privacy," she told WIRED.co.uk. "The oversight of GCHQ's hacking activities is minimal, and when it comes to weakening encryption, it appears to be nonexistent. As the ISC report reveals, to the extent that ministers oversee GCHQ's overseas hacking activity at all, it is only to grant broad authorisations that essentially give GCHQ carte blanche to hack."

NSA contractor and former CIA technical employee Edward Snowden announced on 9 June that he was the source for documents published about the NSA’s secret surveillance programmes

She said that GCHQ should only be allowed to engage in such activities with strong safeguards and oversight in place. "The fact that the agency seems to have taken powers unto itself without parliamentary oversight, or even effective ministerial authorisation, should worry us all," she said.

GCHQ's alleged hacking abilities form a major part of its cybersecurity arsenal. The spy agency was linked to the attack on SIM card maker Gemalto, from which billions of mobile device encryption keys were reportedly stolen -- although the firm has claimed the attack was ineffective. GCHQ has also been linked to a 2012 attack on Belgium's largest telecommunications provider, Belgacom.

In July 2014 a leaked GCHQ document detailed more than 100 tools it apparently used to launch attacks on everything, from Twitter and Blackberry to Facebook and Second Life. Leaked documents also revealed GCHQ's use of a malware toolkit named after characters in TV series The Smurfs. An ability codenamed Nosey Smurf turns on Android and iPhone microphones to spy on conversations, while Tracker Smurf and Dreamy Smurf handle device geolocation tracking and the covert switching on of phones respectively. Online rights charity Privacy International has accused GCHQ of "unlawfully" spying on people using such malware.

The spy agency's range of tools relies on a number of exploits -- known bugs, bugs found by GCHQ, information shared by the NSA and bugs placed into software by agents.

Weaknesses exploited by GCHQ, or that it creates, could fundamentally damage online security. Security engineers have argued that they need to be made aware of rare bugs, many of which GCHQ reportedly relies on to gather information. Such information would allow engineers to better secure online infrastructure, making the internet safer for all users.

In evidence given to the ISC, GCHQ said that the "lion's share" of the vulnerabilities it used were "publicly known". However, leaked documents have revealed its use of both zero-day exploits -- which use previously unknown weaknesses to attack software -- and exploits it has found or created.

Concerns have also been raised about GCHQ's dual remit of hacking computer systems and networks while also ensuring the strength of Britain's cybersecurity. The agency hoped its classified Edgehill decryption program would be able to crack encryption used by 15 major internet companies and 300 virtual private networks (VPNs) by 2015, according to leaked documents. It has been claimed such widespread and sophisticated attacks on encryption could fundamentally weaken online security.

In September 2013 academics specialising in cryptography warned that "by weakening all our security so that they can listen to the communication of our enemies, [GCHQ and the NSA] also weaken our security against our potential enemies". In an open letter the academics called on GCHQ "to reveal what systems have been weakened so that they can be repaired, and to create a proper system of oversight".

Eerke Boiten, senior lecturer in computer science at the University of Kent, and one of the co-signatories of the open letter, today told WIRED.co.uk the lack of oversight was "fundamentally unacceptable". He argued that GCHQ's dual remit of attacking enemies and bolstering the UK's cybersecurity created an awkward conflict of interest. "These goals clash and whenever they do [the] ISC is now telling us that GCHQ resolves the conflict unilaterally and without specific legislation, oversight, or accountability," he explained. "Even when GCHQ only exploits a known vulnerability, or keeps a stash of zero-days for its own use, not getting such vulnerabilities fixed instead impacts against global cybersecurity. If that is ever the correct decision to make, this balancing act should be subject to oversight and accountability."

He accused the ISC of being "remiss" in its response. "The recommendations plug a lot of gaps, but not nearly all. They also fail to draw any conclusions from their own lack of awareness of a large range of activities until this [report]."

In a statement, GCHQ maintained its policy of not commenting on intelligence matters. A spokesperson for the spy agency said its operations were subject to "rigorous oversight", adding that its "operational processes rigorously support this position".